Account guardrail
  • Keep S3 Block Public Access ON at both the account and bucket level
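A check for this guardrail, added here as an illustrative example rather than code from any AWS tool: it evaluates the four Block Public Access flags as returned by the account-level (s3control) and bucket-level (s3) get_public_access_block calls and reports every level where any flag is off. The account and bucket names, and the sample settings, are constructed for the example.

```python
"""Evaluate S3 Block Public Access (BPA) against 'ON at account AND bucket level'."""
from typing import Dict, List, Optional, Tuple

# The four flags found under "PublicAccessBlockConfiguration" in the response of
# s3control get_public_access_block (account) and s3 get_public_access_block (bucket).
# A level with no configuration at all is treated as every flag being off.
BPA_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

Config = Optional[Dict[str, bool]]


def missing_flags(config: Config) -> List[str]:
    """Return the BPA flags that are not enabled at this level (all four if unset)."""
    if config is None:
        return list(BPA_FLAGS)
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


def evaluate(account_config: Config, bucket_configs: Dict[str, Config]) -> List[Tuple[str, List[str]]]:
    """One finding per level that falls short of the guardrail; empty list means compliant.

    Bucket-level gaps are reported even when the account-level setting is fully ON:
    the guardrail requires both so that a later change to one level alone cannot
    silently expose a bucket.
    """
    findings: List[Tuple[str, List[str]]] = []
    gaps = missing_flags(account_config)
    if gaps:
        findings.append(("account", gaps))
    for name, cfg in sorted(bucket_configs.items()):
        gaps = missing_flags(cfg)
        if gaps:
            findings.append((f"bucket:{name}", gaps))
    return findings


# Constructed sample data (hypothetical account and bucket names, not real ones).
SAMPLE_ACCOUNT: Config = {flag: True for flag in BPA_FLAGS}
SAMPLE_BUCKETS: Dict[str, Config] = {
    "logs-archive": {flag: True for flag in BPA_FLAGS},
    "legacy-site": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "scratch": None,  # no PublicAccessBlock configured on this bucket at all
}

if __name__ == "__main__":
    for scope, gaps in evaluate(SAMPLE_ACCOUNT, SAMPLE_BUCKETS):
        print(f"{scope}: missing {', '.join(gaps)}")
```

Feeding the function real responses only requires passing each call's "PublicAccessBlockConfiguration" value, or None when the call reports no configuration.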
Checks
  • Triage IAM Access Analyzer external access findings
  • Enforce AWS Config rules:
    • s3-bucket-public-read-prohibited
    • s3-bucket-public-write-prohibited
Change control
  • Review any new bucket at creation
  • Track findings to closure in Jira